USER AUTHENTICATION APPARATUS, METHOD OF USER AUTHENTICATION,
AND STORAGE MEDIUM THEREFOR

This application is related to and claims priority to Japanese Patent Application No.
11-198061, filed July 12, 1999 in Japan, the contents of which are incorporated herein by
reference.

BACKGROUND OF THE INVENTION 

1. Field of the Invention

The present invention relates to user authentication for allowing use of apparatus, 
systems and services. 

2. Description of the Related Art 

In recent years, improvement in the maintenance of networks and lower hardware
prices, such as for personal computers and communication apparatuses, have established an
environment in which any person can easily transmit or receive electronic mail (hereinafter
referred to as E-mail) through the Internet or read WWW (World Wide Web) information in
various places such as houses, companies and outdoor areas.

More particularly, in any company, there is an attempt to quickly and effectively 
process jobs through an intranet and an extranet by implementing a client/server type job 
system utilizing networks, in addition to existing host centralized job systems, which mainly 
consist of a main frame. 

As explained above, currently it is possible for anyone to utilize various kinds of 
electronic systems in houses and companies. However, in these systems, a user is requested, 
at the time of using a service of a system, to input a characteristic ID and a password so that 
the system can perform an authentication process for determining whether or not the user has 
the qualification to receive the service by referencing the characteristic ID and password 
information input by the user. 

Moreover, even an operating system (OS) of a personal computer performs the
authentication process utilizing the ID and password to restrict the user or to change settings
for various environments.

As explained above, the user must prepare and remember multiple sets of ID and
password corresponding to each system to utilize various systems, applications, services,
including WWW pages and/or sites (hereinafter, collectively referred to as an application) in
houses, outdoor areas and companies.

When a small number of applications are used, the user is capable of memorizing the
ID and password, but when the user utilizes a plurality of applications, the user may forget the
ID and password.

To avoid the event in which the user cannot utilize the application because the user has
forgotten the ID and password, many users have generally introduced an operation mode which
requires the user to write the ID and password on a note pad, including a digital note pad, for
the authentication process.

In addition, companies have generally introduced an operation mode in which magnetic
cards on which employee number information is recorded are distributed to employees and
the authentication process is executed using such magnetic cards.

As an example of another related art, there is Japanese Published Unexamined Patent
Application No. HEI 7-64911, in which reliability is reinforced and sufficient authentication is
assured.

This reference discloses a system having a host computer and a plurality of terminals
connected thereto, whereby an IC card or a magnetic card is designed to store a plurality of
personal authentication data (identifying information, password, handwriting and finger print
or the like). Each terminal is provided with a keyboard and tablet, a magnetic card reader and
an IC card reader for inputting the plurality of personal authentication data. Selected personal
authentication data are input for the purpose of comparison or authentication.

As explained above, the operation mode in which the ID and password written on the
note pad are input during the authentication process creates a problem in that contents of the
note pad may be read by another person and the ID and password may be leaked such that the
application can be used illegally or by unauthorized users.

Moreover, while the authentication process utilizing the magnetic card has the benefit
that manipulation by the user can be done easily because it is only required for the card reader
to read the magnetic card, the authentication process may be done even when a person other
than the true card holder causes the card reader to read the magnetic card. As a result, the
security level is rather low and illegal access to the system cannot be prevented.

In addition, the reference HEI 7-64911 provides higher security by utilizing a plurality 
of personal authentication data, improving security for one application. However, the 
authentication process disclosed in HEI 7-64911 does not improve the security for more than 
one application and does not simplify the authentication manipulation by the users. 

SUMMARY OF THE INVENTION

Therefore, it is an object of the present invention to provide an authentication control
apparatus, system or storage medium simplifying manipulation or use of a plurality of
applications by a user and for improving security in an environment using the plurality of
applications.

According to the present invention, a user is required to memorize only one piece of
identifying information for accessing more than one application and is freed from memorizing
authentication information of all the applications the user desires to access or use. Further,
comparison of the identifying information for user authentication is performed by using a
storage medium such that the apparatus according to the present invention issues or generates a
comparison request to the storage medium for user authentication and receives the result of the
comparison (authentication) from the storage medium. Therefore, in the present invention the
apparatus does not directly access the storage medium to read authentication information of the
applications, which improves security of the authentication information stored in the storage
medium for achieving a high level security.

Further, a similar operation effect can be attained with a program according to the 
present invention instructing a computer to execute the processes explained above. 

As explained above, a user can utilize a plurality of applications by memorizing only
one identifying information and therefore it is now possible to prevent another person from
directly accessing the authentication information of the applications and tapping into the
applications.

Further, since the authentication information stored in the storage medium can be
updated by only a single input, some input procedures for updating the authentication
information can be saved or eliminated.

In view of attaining the objects explained above, an apparatus of the present invention
for user authentication comprises a control unit controlling comparison (authentication) of
identifying information input by a user with identifying information stored in a storage
medium, which also stores authentication information for a plurality of applications
corresponding to the stored identifying information. The apparatus of the present invention
further includes a setting unit setting or supplying the stored authentication information for an
object application or target application selected from the plurality of applications depending on
or responsive to the result of the comparison as input information for the authentication system
of the object application or target application for user authentication.

Moreover, the apparatus of the present invention comprises a control unit controlling
comparison (authentication) of identifying information input by a user with identifying
information stored in a storage medium, which also stores authentication information for a
plurality of applications corresponding to the stored identifying information. The apparatus of
the present invention further includes an update control unit controlling, depending on or
responsive to the result of the comparison, update of the stored authentication information for
an object application or target application to a new authentication information input by the
user, and an update processing unit synchronously updating the stored authentication
information using the newly input authentication information.

Moreover, the apparatus of the present invention comprises a control unit controlling
comparison (authentication) of identifying information input by a user with identifying
information stored in a storage medium, which also stores certificates for a plurality of
applications corresponding to the stored identifying information. The apparatus of the present
invention further includes an instructing unit to instruct, depending on or responsive to the
result of the comparison, reading of a desired certificate from the plurality of stored certificates
and a providing unit providing the certificate read from the storage medium to an object
application or target application for authentication.

Moreover, the present invention may be structured by an authentication control system
comprising the apparatuses and the storage medium explained above.

Moreover, the storage medium according to the present invention may be a portable
storage medium, such as an IC card or a hand-held terminal, comprising an interface unit
sending or receiving information to/from an external side and a memory unit storing sets of
application identifying information and corresponding authentication information. The
memory unit also stores information of the storage medium. The storage unit further includes
a comparing unit comparing identifying information supplied from the external side with the
identifying information stored in the storage medium and a processing unit providing,
depending on or responsive to the result of the comparison, the authentication information for
an object application or target application.

Moreover, a program controls a computer apparatus to perform a process according to
the present invention including controlling the comparison of identifying information input by a
user with identifying information stored in a storage medium, which also stores authentication
information for a plurality of applications corresponding to the stored identifying information.
The program controls the computer apparatus to further perform a process including setting or
supplying the stored authentication information for an object application or target application
selected from the plurality of applications depending on or responsive to the result of the
comparison as input information for the authentication system of the object application or target
application for user authentication.

Moreover, a program controls a computer apparatus to perform a process according to
the present invention including controlling comparison of identifying information input by a
user with identifying information stored in a storage medium, which also stores authentication
information for a plurality of applications corresponding to the stored identifying information.
The program controls the computer apparatus to further perform a process including
controlling, depending on the result of the comparison, update of the stored authentication
information for an object application or target application to a new authentication information
input by the user, and an update processing unit synchronously updating the stored
authentication information using the newly input authentication information.

Additional objects and advantages of the invention will be set forth in part in the 
description which follows and, in part, will be obvious from the description, or may be learned 
by practice of the invention. 

BRIEF DESCRIPTION OF THE DRAWINGS 

These and other objects and advantages of the invention will become apparent and more 
readily appreciated from the following description of the preferred embodiments, taken in 
conjunction with the accompanying drawings of which: 

Fig. 1 is a system configuration diagram of the present invention.

Fig. 2 is a diagram illustrating the schematic structure of the computer.

Fig. 3 is a process flowchart (No. 1) for explaining the authentication process in this

Fig. 4 is a process flowchart (No. 2) for explaining the authentication process in this

Fig. 5 is a diagram (No. 1) illustrating transition of displays in the authentication

Fig. 6 is a diagram (No. 2) illustrating transition of displays in the authentication

Fig. 7 is a process flowchart (No. 1) for explaining the update process of the
authentication information in this embodiment.

Fig. 8 is a process flowchart (No. 2) for explaining the update process of the 
authentication information in this embodiment. 

Fig. 9 is a diagram illustrating a display example in the update process of the
authentication information.

Fig. 10 is a process flowchart (No. 1) when the certificate is used at the time of reading
the page protected by security.

Fig. 11 is a process flowchart (No. 2) when the certificate is used at the time of reading
the page protected by security.

Fig. 12 is a diagram (No. 1) illustrating transition of displays at the time of reading the
Web site.

Fig. 13 is a diagram (No. 2) illustrating transition of displays at the time of reading the
Web site.

Fig. 14 is a diagram illustrating the format of data recorded in the memory unit of the
IC card.

DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Reference will now be made in detail to the preferred embodiments of the present
invention, examples of which are illustrated in the accompanying drawings, wherein like
reference numerals refer to the like elements throughout. The embodiments are described
below to explain the present invention by referring to the figures.

In this embodiment, a client/server system connected to a network will be explained as
an example. Here, it is also possible to use a host centralized type system, which is mainly
composed of a main frame in place of the client/server system of this example.

Fig. 1 is a system configuration diagram of the present invention.

As illustrated in Fig. 1, a client 1 is connected to a server 2 via the network 3. The
client 1 accesses the server 2 through the network 3 to perform jobs utilizing application
software on the server 2 and to download data from the server 2.

Fig. 2 is a diagram illustrating a schematic structure of a computer provided as the
client 1.

The client 1 is mainly composed of CPU 4, RAM 5, HDD (hard disk drive) 6, CD-ROM
drive 7, FDD (floppy disk drive) 8, NCU (network control unit) 9, display unit 10,
keyboard 11 and IC card reader/writer 12.

In this figure, various programs use the CPU 4 to execute various processes and
controls. Programs of the present invention also use the CPU 4 to execute processes and
controls according to the present invention.

Moreover, RAM 5 temporarily stores for the CPU 4 the data, such as the programs of
the present invention and information according to the present invention, of various processes
and controls and also stores the data for the display unit 10 to display the data.

The hard disk drive 6 and the floppy disk drive 8 record the data, such as the programs
of the present invention and the information according to the present invention, to non-volatile
storage media (the hard disk and the floppy disk 14) and read the data from the storage
media.

The CD-ROM drive 7 reads the data stored in the CD-ROM 13.

The network control unit 9 is connected to the network 3 to exchange the data with 
other apparatuses, such as other clients, via the network 3. With this network control unit 9, 
the data can be exchanged with the server 2 via the network 3. 

This network control unit may be a modem or a LAN card. Moreover, this unit may
also be used to download the data, such as the program of the present invention and the
information according to the present invention, from the server 2 and to receive services
provided by the server 2.

The programs of the present invention which are driven or executed in the client 1 can
be read respectively by the CD-ROM drive 7 and the floppy disk drive 8 from the CD-ROM
13 and the floppy disk 14 on which the programs are recorded and can be installed on the hard
disk drive 6.

In addition, it is also possible that the programs of the present invention are
downloaded from the other apparatuses via the network using the network control unit and the
programs are then stored in the hard disk drive 6.

The programs of the present invention stored in the hard disk drive 6, as explained
above, are loaded into the RAM 5 to execute instructions and operate to realize each structural
element of the present invention with the computer as the client.

As explained above, it is also possible that the programs of the present invention are
downloaded from the other apparatuses via the network and directly loaded in RAM 5, instead
of recording the programs in the storage medium of the hard disk drive 6.

The display unit 10 displays the data stored in the RAM 5 on a display area. The 
keyboard 11 is an input device for mainly inputting character information by the users. 
Although not illustrated in Fig. 1, a mouse is also provided to manipulate a mouse cursor 
displayed on the display area of the display unit 10. 

The IC card reader/writer 12 reads and writes the data from/to an IC card 15 (also
called a smart card). This IC card 15 is provided, for example, with an integrated circuit (IC)
on a plastic card. This integrated circuit includes contacts for electrical connection with the IC
card reader/writer 12, a processing unit executing various processes and a memory unit for
storing the data.

In this example, the IC card reader/writer 12 and IC card 15 are physically in contact 
with each other to read or write the data, but it is also possible to use the non-contact type IC 
card reader/writer and IC card. 

As in the case of the client 1, programs of the present invention are also stored in the
memory unit of the IC card 15 to operate or execute the processes of the present invention by
controlling the processing unit of IC card 15.

The processes executed by the programs of the present invention will be explained in
detail.

First, as an example, processes to authenticate the user by displaying a log-on image,
with a predetermined input field for authentication information and inputting ID and password
will be explained with reference to Fig. 3 to Fig. 6. The log-on image is displayed at a time of
starting an OS in an initial stage before providing services or access.

Fig. 3 and Fig. 4 are process flowcharts explaining an authentication process according
to an embodiment of this invention.

Moreover, Fig. 5 and Fig. 6 illustrate transition of display images in the authentication
process.

First, when the log-on image is displayed for inputting the authentication information
(Fig. 5(a)), an image for inputting personal identifying information (hereinafter referred to as
PIN) is displayed (011, Fig. 5(b)).

Display of the PIN input image may be triggered by detecting that the log-on image has
been displayed or by detecting that a display instruction button (not illustrated in Fig. 5) is
manipulated by the user.

When the user indicates that the authentication process should be canceled, while the
PIN input image is displayed (012), the authentication process is canceled, which completes or
terminates the authentication process. If the user inputs the PIN in the PIN input image using
the keyboard 11 to complete the required input, the input PIN is supplied to the IC card 15
(013).

In the IC card 15, the input PIN supplied from the client 1 is compared with the PIN
stored in the memory unit (014).

If, after the comparison (authentication) (014), the PIN input by the user does not
match the PIN stored in the memory unit, mismatching information is transmitted to the client.

Upon reception of the mismatching information from the IC card 15, the client 1 
displays, on the display area, a message indicating that the PIN input by the user is not correct 
(015, 016). 

If the PIN input by the user matches the PIN stored in the memory unit, the IC card 15
transmits matching information to the client to set the client to a condition for allowing the
client subsequent access to the IC card 15.

Once the client receives the PIN matching information from the IC card 15, the client
requests a list of application names stored in records of the memory unit of the IC card 15.
The IC card 15 receives such request, then reads the application names stored in the records of
the memory unit and supplies the application names to the client.

The client receives the application names from the IC card 15 and displays the
application names on the display area as selection items (017, Fig. 6(c)).

The user selects one of the application names and performs a selection determining
manipulation (018).

When the user selects the one application name, the client supplies the selected 
application name to the IC card 15 and requests the authentication information corresponding 
to the selected application name. In this case, the list of selection items displayed on the 
display area is erased. 

The IC card 15 receives the selected application name and the request to read the
authentication information corresponding to the selected application name. The IC card 15
determines if the selected application name matches one of the application names stored in the
records of the memory unit. If the selected application name matches one of the application
names stored in the records of the memory unit, the IC card 15 reads the authentication
information corresponding to the selected application and supplies the read authentication
information to the client.

The client receives the authentication information supplied from the IC card 15 and sets
the received authentication information to the predetermined input field of the log-on image
(Fig. 6(d)).

When the authentication information is set to or placed in the input field of the log-on 
image, the user executes a determining manipulation. 

When input of the authentication information is established or complete, the selected 
application conducts or performs an authentication process (comparison process) (019). 
If a result of the authentication process of 019 provides that the authentication
information of the selected application matches the input authentication information, the log-on
process of the selected application is executed (020).

Moreover, if the authentication information of the selected application does not match
the input authentication information, the list of the application names displayed in 017 is
displayed on the display area to execute again the processes of 018 to 020.

As explained above, according to this embodiment of the present invention, it is
possible to set the authentication information for the application in the log-on input field by
only inputting the PIN from the user and then selecting the desired application from the list of
application names read from the IC card 15 and displayed on the display area.

Accordingly, a user can use more than one application by only memorizing one
identifying information, such as the PIN. Further, since only the processing unit of the IC
card can read the data stored in the memory unit of the IC card, tapping by other persons to
access the data stored in the memory unit of the IC card can be prevented.

In the above example, the application displays the log-on image for requesting or
inputting the authentication information. However, the present invention is not limited
thereto and the present invention can also be applied to a password input image, for example,
during recovery from a screen saver to prevent burning of a display screen of the display unit.
Generally, the present invention can be applied to any application requiring input of the user
ID and the password.

In the above example, the user selects the desired application from the list of application
names. However, if the client can obtain identifying information of the current application 
displaying the log-on image, the client can request the authentication information of the 
application displaying the log-on image from the IC card 15 based on the obtained identifying 
information. In this case, the client requests the authentication information of the application 
displaying the log-on image after the IC card 15 permits the client subsequent access to the IC 
card 15 depending on the comparison (authentication) of the PIN input by the user with the 
PIN stored in the IC card 15. 

Thereby, the process of displaying the list of application names and the process of 
requesting the user to select one of the application names may be saved or eliminated. 

An update process will be explained next comprising synchronizing the authentication 
information managed by the application with the authentication information stored in the IC 
card when updating the authentication information. 

Fig. 7 and Fig. 8 are process flowcharts explaining the update process. Moreover, Fig. 9
illustrates a display image in the update process. 

First, when the application displays an update input image to update the password, the 
PIN input image is also displayed (021). 

The display of the PIN input image can be triggered by detecting that the application 
has displayed an existing password update input image prepared in the application or by 
detecting that the application has displayed an exclusive password update input image. 

If the user instructs the application to cancel, while the application displays the PIN 
input image (022), the application cancels the update process, completing or terminating the 
update process. If the user inputs the PIN in the PIN input image to instruct completion of 
input, the input PIN is supplied to the IC card 15 (023). 

In the IC card 15, the PIN supplied from the client is compared with the PIN stored in 
the memory unit (024). 

If after the comparison (024) the PIN input by the user does not match the PIN stored
in the memory unit of the IC card 15 (025), the mismatching information is transmitted to the
client.

The client receives the mismatching information from the IC card 15 and immediately
displays, on the display area, the message indicating that the PIN input by the user is not
correct (026).

If the PIN input by the user matches the PIN stored in the memory unit of the IC card 15,
the IC card 15 transmits the matching information to the client to set the client to the condition
for allowing the client subsequent access to the IC card 15.

Once the client receives the matching information from the IC card 15, the client makes
effective or activates input fields of the password update input image of Fig. 9.

The user respectively inputs an old password, a new password and the new password
again for verification as input information in the activated input fields of the password update
input image and the user manipulates the determining buttons inputting the input information.

When the input information is determined for updating the password, the update
process is executed and the client requests from the IC card 15 the list of application names
stored in the IC card 15. The IC card 15 receives such request, then reads the application
names stored in the records of the memory unit and supplies the application names to the
client.

The client receives the application names from the IC card 15 and displays the
application names on the display area as selection items (027).

The user selects the application name currently displaying the update input image for
which the user desires to update the authentication information and executes the selection
determining manipulation (028).

When the user selects the application name, each password information input by the 
user together with the selected application name is supplied to the IC card 15 as an update 
request. In this case, the list of selection items displayed on the display area is erased. 

The IC card 15 receives the update request and if the old password information input by
the user matches a current password information in the password information field of the
record for the selected application, the IC card 15 updates the password information field of
the record for the selected application with the new password (029).

If the old password information of the selected application input by the user (030) does
not match the current password information in the password information field of the record for
the selected application, the application name list displayed in 027 is displayed on the display
area to execute again the processes 028 to 030.

With the processes explained above, the password of the application and the password
of the application stored in the records of the memory unit of the IC card 15 can be updated by
a single input of information by the user. Therefore, some input procedures for updating the
application password by the user can be saved.
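
The log-on exchange (011 to 020) and the update exchange (021 to 030) described above, modelled as an added Python example that is not code from the patent. The class and function names, the status strings, the sample PIN and records, the constant-time comparison and the client-side check of the repeated new password are all assumptions made for illustration.

```python
import hmac

# Status values are names chosen for this sketch; the page only speaks of
# "matching" and "mismatching" information returned by the card.
MATCH, PIN_MISMATCH, PW_MISMATCH = "match", "pin-mismatch", "password-mismatch"
DENIED, NO_RECORD = "access-denied", "no-record"


def _same(a: str, b: str) -> bool:
    # Constant-time comparison: an added hardening choice, not stated on the page.
    return hmac.compare_digest(a.encode(), b.encode())


class IcCard:
    """Card side. Only these methods touch the memory unit; the client never reads it."""

    def __init__(self, pin, records):
        self._pin = pin
        self._records = dict(records)   # application name -> (user ID, password)
        self._unlocked = False          # the "condition allowing subsequent access"

    def compare_pin(self, candidate):
        # Steps 014 / 024: the comparison runs on the card; only the result leaves it.
        self._unlocked = _same(candidate, self._pin)
        return MATCH if self._unlocked else PIN_MISMATCH

    def list_applications(self):
        if not self._unlocked:
            return DENIED, []
        return MATCH, sorted(self._records)

    def read_credentials(self, app):
        if not self._unlocked:
            return DENIED, None
        if app not in self._records:
            return NO_RECORD, None
        return MATCH, self._records[app]

    def update_password(self, app, old, new):
        # Step 029: the record changes only if the old password matches the stored one.
        if not self._unlocked:
            return DENIED
        if app not in self._records:
            return NO_RECORD
        user_id, current = self._records[app]
        if not _same(old, current):
            return PW_MISMATCH
        self._records[app] = (user_id, new)
        return MATCH


def log_on(card, pin, app):
    """Client side of steps 013 to 018: returns (status, value for the log-on field)."""
    if card.compare_pin(pin) != MATCH:
        return PIN_MISMATCH, None       # client displays "PIN is not correct"
    status, names = card.list_applications()
    if status != MATCH or app not in names:
        return NO_RECORD, None
    return card.read_credentials(app)


def change_password(card, pin, app, old, new, confirm):
    """Client side of steps 023 to 029; the new/confirm check is assumed to be client-side."""
    if card.compare_pin(pin) != MATCH:
        return PIN_MISMATCH
    if new != confirm:
        return PW_MISMATCH
    return card.update_password(app, old, new)


def make_sample_card():
    # Constructed sample data, not from the page.
    return IcCard("4821", {
        "os-logon": ("alice", "os-pw-1"),
        "mail": ("alice@example.test", "mail-pw-1"),
    })


if __name__ == "__main__":
    card = make_sample_card()
    print(card.read_credentials("mail"))          # locked until the PIN matches
    print(log_on(card, "0000", "mail"))
    print(log_on(card, "4821", "mail"))
    print(change_password(card, "4821", "mail", "mail-pw-1", "mail-pw-2", "mail-pw-2"))
    print(card.read_credentials("mail"))
```

In the log-on flow the selected record's credentials are handed to the client once the PIN matches, so the card protects its memory unit while locked but not the value placed in the log-on field.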

Next, an example of using certificates stored into the IC card 15 will be explained. 
Each certificate is called a secret key, which is used, for example, by a data encryption 
application in a WWW server to read secured or protected Web pages of a WWW browser. 
10 Fig. 10 and Fig. 11 are process flowcharts for using the certificate at a time of reading 

the protected Web pages of the WWW browser. 
^ Moreover, Fig. 12 and Fig. 13 illustrate transition display images for reading a Web 

yrj site. 

First, when uniform resource locator (URL) of the page protected by security of the 
k$5 WWW browser is directly input or a link is designated, the WWW browser requests input of 
J5 the certificate (Fig. 12(a)). 

When the WWW browser issues this certificate request, the user sets the IC card 15 in 
3 the IC card reader/writer 12. 

% i When the IC card 15 is set, the PIN input image displayed (031, Fig. 12(b)). 

j|0 If the user instructs the application to cancel while the PIN input image is displayed 

M (032), the authentication process is canceled, completing or terminating the authentication 

process. If the user inputs the PIN in the PIN input image to instruct completion of input, the 
input PIN is supplied to the IC card 15 (033). 

In the IC card 15, the PIN supplied from the client is compared with the PIN stored in 
25 the memory unit (034). 

If after the comparison (034) the input PIN by the user does not match the PIN stored 
in the memory unit of the IC card 15, the mismatching information is transmitted to the client. 

The client receives the mismatching information from the IC card 15 and displays on
the display area the message indicating that the input PIN by the user is not correct (035,
036).

If the input PIN by the user matches the PIN stored in the memory unit of the IC card
15, the IC card 15 transmits the matching information to the client to set the client to the
condition for allowing the client subsequent access to the IC card 15.

The client receives the matching information from the IC card 15 and immediately
requests a list of certificate names stored in the IC card 15.

The IC card 15 receives this request and reads information about the certificates stored 
in the memory unit and then supplies the information about the certificates to the client. 

The client receives the information about the certificate names from the IC card 15 and
displays such information as the selection items on the display area (037, Fig. 13(c)).

The user selects the certificate name corresponding to the WWW page and executes the
selection determining manipulation (038).

When the user selects the certificate name, the client supplies the information about the
selected certificate name to the IC card 15 and requests the IC card 15 to read certificate data
corresponding to the selected certificate name. In this case, the selection item list displayed on
the display area is erased.

The IC card 15 receives the request to read the information about the selected certificate
name and the certificate data and reads the information and the certificate data matched with
the request from each record of the memory unit and then supplies the information and the
certificate data to the client.

The client receives the certificate data supplied from the IC card 15 and executes the
authentication process using the certificate data (039).

If the authentication process 039 is correct, the protected WWW page is displayed
(040).

If the certificate data is not correct, the list of certificate names displayed in 037 is
displayed on the display area to execute again the processes of 038 to 040.

As explained above, the certificate data is recorded on a portable type storage medium
such as the IC card 15 without preparing or storing the certificate data in the client and such
certificate data is used as required by reading from the storage medium. Thereby, the
protected WWW page cannot be read when the storage medium storing the certificate data is
not available even if another person uses the client, achieving a high level of security.






Docket No. 21.1958/MS 

Finally, the format of data stored in the memory unit of the IC card 15 will be explained.

Fig. 14 illustrates a format of data stored in the memory unit of the IC card.

The memory unit of the IC card 15 stores records corresponding to the applications.

Each record is formed of an application ID, a user ID, the password, a domain and an
extension field.

The application ID field stores information identifying the application. Using this
information, the client generates the selection item list and this information is a key for reading
the authentication information.

The user ID field stores the user ID corresponding to the application.

The password field stores the password forming a pair with the user ID corresponding
to the application.

The domain field stores information which is not used for explaining the processes
according to this invention but is used for log-on to the server.

The extension field stores information indicating whether extension information
continues in the next record.
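The PIN-gated read sequence (033 to 039) and the record layout described for Fig. 14, as an added Python model that is not part of the patent text. The class and function names, the reading of the extension field (a set flag means the next record continues the same entry), the constant-time PIN comparison and the sample data are assumptions of this example.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One record of the card's memory unit, fields as listed for Fig. 14."""
    application_id: str
    user_id: str
    password: str
    domain: str
    extension: bool = False  # True: extension information continues in the next record


class CardLocked(Exception):
    """Raised when a read is attempted before a successful PIN comparison."""


class ICCard:
    """Hypothetical model of the IC card 15; the stored PIN never leaves it."""

    def __init__(self, pin, records):
        self._pin = pin.encode()
        self._records = list(records)
        self._unlocked = False

    def verify_pin(self, candidate):
        # The comparison runs on the card; only match/mismatch is returned.
        # Constant-time comparison is a hardening choice added in this example.
        self._unlocked = hmac.compare_digest(self._pin, candidate.encode())
        return self._unlocked

    def _chains(self):
        # Group each record with the continuation records that follow it
        # (assumed interpretation of the extension field).
        chain = []
        for rec in self._records:
            chain.append(rec)
            if not rec.extension:
                yield chain
                chain = []

    def list_application_ids(self):
        if not self._unlocked:
            raise CardLocked("PIN not verified")
        return [chain[0].application_id for chain in self._chains()]

    def read(self, application_id):
        if not self._unlocked:
            raise CardLocked("PIN not verified")
        for chain in self._chains():
            if chain[0].application_id == application_id:
                return chain
        raise KeyError(application_id)


def client_fetch(card, pin, choose):
    """Client side: supply the PIN, list the items, read the selected entry."""
    if not card.verify_pin(pin):
        return None  # the client would display the "PIN is not correct" message
    selected = choose(card.list_application_ids())
    return card.read(selected)


# Constructed sample data, not taken from the patent.
SAMPLE_CARD = ICCard("4821", [
    Record("mail", "alice", "m-secret", "corp", extension=True),
    Record("mail", "", "", "", extension=False),  # continuation record
    Record("intranet", "alice01", "i-secret", "corp"),
])
```

A failed comparison also clears the unlocked state, so a mismatch after an earlier match closes access to the records again.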

Next, an authentication controlling apparatus according to the present invention will be
explained. The authentication controlling apparatus according to the present invention
comprises a control unit controlling comparison of the identifying information input by the
user with the identifying information stored in the storage medium, which also stores the
authentication information, including certificates, for the applications corresponding to the
stored identifying information. The apparatus further comprises a setting unit setting, as input
information for authentication system of one of the applications, authentication information of
the one application the storage medium sends responsive to the result of the comparison
(authentication) to the setting unit.

In another embodiment, the setting unit sets the stored authentication information for
the selected application responsive to the result of the comparison as input information to the
selected application for user authentication. The apparatus further comprises a providing unit
providing the identifying information input by the user to the storage medium and a receiving
unit to receive the result of the comparison (authentication) of the input identifying information
with the identifying information stored in the storage medium performed by a comparing unit
in the storage medium.

According to another aspect of the present invention the authentication controlling
apparatus comprises a display unit displaying the application names as the selection items when
the result of the comparison (authentication) indicates that the identifying information input by
the user matches the identifying information stored in the storage medium. The authentication
controlling apparatus further comprises a selecting unit controlling selection of the object
application as the selected application from the selection items, wherein the setting unit sets the
stored authentication information for the selected application depending on the result of the
comparison as input information to the selected application for user authentication.

According to another aspect of the present invention the authentication controlling
apparatus comprises a requesting unit controlling transmission of read requests to the storage
medium to read the information stored in the records of the storage medium, wherein the
display unit displays as the selection items the read information about the applications stored in
the records of the storage medium.

The computer readable storage medium according to the present invention stores a
program instructing the computer to perform a process comprising comparing the identifying
information input by the user with the identifying information stored in the storage medium,
storing in the records of the storage medium authentication information about the applications,
selecting one of the applications and setting the stored authentication information for the
selected application depending on the result of the comparison as input information to the
selected application for user authentication. The process further comprises providing the
identifying information input by the user to the storage medium and receiving the result of the
comparison of the identifying information input by the user with the identifying information
performed by the comparing unit of the storage medium. The process further comprises
displaying the application names as the selection items when matching is the result of the
comparison and controlling selection of the application from the selection items.

The present invention is never limited to the embodiments explained above and may be
changed or modified within the scope not departing from the spirit of the present invention, the
scope of which is defined in the claims and their equivalents.

WHAT IS CLAIMED IS:

1. A user authentication apparatus, comprising: 

a control unit controlling comparison of identifying information input by a user with
characteristic identifying information stored in a storage medium storing authentication
information for applications corresponding to the characteristic identifying information; and

a set unit setting, as input information for an authentication system of one of the
applications, authentication information of the one application the storage medium sends
responsive to a result of the comparison to the set unit.

2. A user authentication apparatus, comprising:

a control unit controlling comparison of identifying information input by a user with
characteristic identifying information stored in a storage medium storing authentication
information for applications corresponding to the characteristic identifying information;

an update unit controlling update of the authentication information of one of the
applications selected by the user to new authentication information input by the user responsive
to a result of the comparison; and

a processing unit synchronously updating the authentication information stored in the
selected application and the authentication information stored in the storage medium to the new
authentication information input by the user.

3. A user authentication apparatus, comprising: 

a control unit controlling comparison of identifying information input by a user with
characteristic identifying information stored in a storage medium storing a plurality of
certificates for applications;

an instructing unit instructing the storage medium to send a desired certificate in
response to a result of the comparison; and

a providing unit providing the certificate sent from the storage medium to the
application in response to the instruction.

4. A user authentication system, comprising:

a storage medium storing authentication information for applications and characteristic 
identifying information; and 

a control unit comparing identifying information input by a user with the characteristic 
identifying information stored in the storage medium; and 

a set unit setting in one of the applications selected by the user the authentication 
information the storage medium sends responsive to a result of the comparison to the set unit, 
as input information for authentication by the one selected application. 

5. A user authentication system, comprising: 

a storage medium storing authentication information for applications and characteristic 
identifying information; and 

a control unit comparing identifying information input by a user with the characteristic 
identifying information stored in the storage medium; 

an update unit controlling update of the authentication information of one of the 
applications selected by the user to new authentication information input by the user responsive 
to a result of the comparison; and 

a processing unit synchronously updating the authentication information stored in the 
selected application and the authentication information stored in the storage medium to the new 
authentication information input by the user. 

6. A process of user authentication, comprising: 

comparing identifying information input by a user with characteristic identifying 
information stored in a storage medium storing authentication information for applications; and 

setting in one of the applications selected by the user the authentication information the 
storage medium sends responsive to a result of the comparison, as input information for 
authentication by the one selected application.

7. A process of user authentication, comprising:

comparing identifying information input by a user with characteristic identifying
information stored in a storage medium storing authentication information for applications;

controlling update of the authentication information of one of the applications selected
by the user to new authentication information input by the user responsive to a result of the
comparison; and

synchronously updating the authentication information stored in the selected application
and the authentication information stored in the storage medium to the new authentication
information input by the user.

8. A storage medium storing authentication information used to authenticate a
user, comprising:

an interface unit exchanging information with an external device;

a memory unit storing identifying information for applications, the authentication
information corresponding to the applications and characteristic identifying information;

a comparing unit comparing identifying information received from the external device
with the stored characteristic information; and

a processing unit supplying the authentication information for applications to the
external device in response to a result of the comparison.

9. A computer readable storage controlling a computer and comprising a process of:

comparing identifying information input by a user with characteristic identifying
information stored in a storage medium storing authentication information for applications; and

setting the authentication information the storage medium sends in response to a result
of the comparison as input information to one of the applications for authentication.

10. A computer readable storage controlling a computer and comprising a process of:

comparing identifying information input by a user with characteristic identifying
information stored in a storage medium storing authentication information for applications;

controlling update of the authentication information about one of the applications selected by
the user to new authentication information input by the user in response to a result of the
comparison; and

synchronously updating the authentication information stored in the selected application 
and the authentication information stored in the storage medium for the selected application to 
the new input authentication information. 

11. A user authentication apparatus, comprising: 

a control unit controlling comparison of identifying information input by a user with 
characteristic identifying information stored in a storage medium storing authentication 
information for applications corresponding to the characteristic identifying information; and 

a set unit setting in one of the applications selected by the user the authentication 
information the storage medium sends responsive to a result of the comparison to the set unit, 
as input information for authentication by the one selected application, wherein the control unit 
further comprises: 

a providing unit providing the identifying information input by the user to the storage 
medium; and 

a receiving unit receiving the result of the comparison the storage medium sends 
responsive to the result of the comparison; and wherein the storage medium further comprises 
a comparing unit comparing the input identifying information provided to the storage medium 
with the characteristic identifying information stored in the storage medium. 

12. The apparatus of claim 11, further comprising: 

a display unit displaying application names as selection items if the result of the
comparison is matching; and

a selecting unit controlling selection of one of the applications by the user, wherein the
set unit sets the authentication information of the selected application as input information to
the selected application for authentication.

13. The apparatus of claim 12, further comprising:

a requesting unit requesting from the storage medium to send information about the 
applications, wherein the display controlling unit displays as the selection items the information 
received from the storage medium about the applications in response to the request. 

14. A computer readable storage controlling a computer and comprising a process of:

comparing with a comparing unit identifying information input by a user with
characteristic identifying information stored in a storage medium storing authentication
information for applications;

providing the identifying information input by the user to the storage medium;

receiving a result of the comparison the storage medium sends responsive to a result of
the comparison; and

setting, as input information for an authentication system of one of the applications, the
authentication information the storage medium sends in response to the result of the
comparison.

15. The computer readable storage of claim 14, further comprising:

selecting the one application from selection items, wherein the process of setting
comprises setting, as the input information for the authentication system of the selected one
application, the authentication information of the selected one application.

16. The computer readable storage of claim 15, further comprising:

generating a request to the storage medium to send information about the applications,
wherein the display controlling unit displays as the selection items the information about the
application the storage medium sends in response to the request.

17. A user authentication apparatus, comprising:

a storage medium storing characteristic identifying information and authentication 
information for applications and comparing identifying information input by a user with the 
characteristic identifying information stored in the storage medium; and 

a set unit setting in one of the applications selected by the user the authentication 
information the storage medium sends to the set unit responsive to a result of the comparison 
as input information for authentication by the one selected application. 

18. A user authentication apparatus, comprising: 

a storage medium storing characteristic identifying information and authentication 
information for applications and comparing identifying information input by a user with the 
characteristic identifying information stored in the storage medium; and 

a set unit setting, as input information for authentication system of one of the 
applications, the authentication information the storage medium sends to the set unit responsive 
to a result of the comparison. 

19. A user authentication apparatus, comprising: 

a control unit controlling comparison of identifying information input by a user with 
characteristic identifying information stored in a storage medium storing authentication 
information for applications corresponding to the characteristic identifying information; and 

a set unit setting in one of the applications selected by the user the authentication 
information the storage medium sends responsive to a result of the comparison to the set unit 
as input information for the authentication system of the one selected application for 
authentication by the one selected application. 

20. A user authentication apparatus, comprising: 

a storage medium storing characteristic identifying information and certificates 
for applications and comparing identifying information input by a user with the characteristic 
identifying information stored in the storage medium; and 

a set unit setting, as input information for authentication system of one of the 
applications, the certificate the storage medium sends to the set unit responsive to a result of 
the comparison. 

ABSTRACT OF THE DISCLOSURE

Apparatus of the present invention comprises a control unit controlling comparison of 
identifying information input by a user with identifying information stored in a storage 
medium, which also stores authentication information for applications corresponding to the 
stored identifying information. The apparatus also comprises a set unit setting, as input 
information for authentication system of one of the applications, the authentication information 
the storage medium sends to the set unit responsive to a result of the comparison. 